I really hate the `curl <url> | sh` specifically because if your connection drops at a specifically unlucky point in time you are left with a partially executed script which if you are unlucky enough may just have been executing `rm -r ~/.cache/<pkg>/download` but it stopped at `rm-r ~/`.

Is it likely? No. Can it happen? Yea.

Just make it `curl -o <file> <url> && sh <file>` and this entire problem is gone.

> I am genuinely curious what it tells you, as "curl https//.. | sh" has long been an enormously popular approach to distribution in the open source world.

It's plain horrible. You could have, for example, a compromised server serving malware but only one out of every 100 download. The only signature you rely on is TLS.

Proper package distribution are using proper signatures schemes, are decentralized, even for some offer reproducible builds (meaning you can rebuild the whole package yourself and verify your build matches), etc.

Hashpipe is an attempt at reproducing some of those guarantees. Not unlike container pining using hashes. It at least fixes the "Jack and John installed this already and I know I'm getting the same version as they did".

Proper software distribution is signed, reproducible and ideally also uses some proof-of-existence for the hashes.

My bet is this: in the face of the countless supply chain attacks, we'll see more and more people getting very serious about security, including the security of software distribution. And curl bash'ing won't be part of it.

What about better ideas like installing from source, or using a package manager? Or even flatpaks.

Yep, that's not an excuse. Claude goes down all the time, should pi also go down?

Oh wait (from another comment under this article): > https://pi.dev/models is throwing an internal server error for me.

There is no threat model that doesn't also apply to pretty much every other distribution method.

It's just people who have internalized "don't paste commands from the Internet into your terminal" and aren't thinking about exactly what makes pasting commands from the Internet into your terminal dangerous, and how that applies to this specific case.

Nah bro package manager where you copy and paste their custom repo and key from the same website that hosts the `.sh` is definitely safer, trust me

/s

We also accepted the security risks of npm and such and we get one supply chain attack after another.

Maybe security should be at a higher position on our priority list.

The careless days are ultimately over but we still don’t act like that.

And you can simply look at the installer by pulling it up in the browser.

Both of them provide that option. I've never installed rust without a package manager. Why would I?

I keep butting into the question of; why opencode, when you've got codex available? Codex is open source as well, and i can't seem to picture a situation where one would want Opencode over Codex.

As far as I can tell, they tick the same boxes- but one has the support of a big boy model provider.

I use Go plan precisely with Opencode IDE (and also Jetbrains IDE suite), but now also have access Gemini Pro and Claude Pro. And wonder which tooling to invest my time into, especially that MCP servers also potentially come into play here, and I want at least some models/tools to handle private tasks, like handling my increasingly-complex Home Assistant setup. And I also want to start using models according to needs (plan, execution, reviews). This shit gets extremely complicated extremely quickly, not to mention how often this field shifts direction.

We don't have any client-side telemetry. Conversations with Poolside models are stored, but you can use any ACP agent with pool. And we have plans to open-source it eventually.